Overview

overview

10

Static

static

Shipping D...ts.exe

windows7_x64

10

Shipping D...ts.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Shipping Documents.exe

  • Size

    664KB

  • Sample

    220203-vt5kracdgr

  • MD5

    c35e97b32cab03a7fea48ccc3fb716b8

  • SHA1

    4b173de88a0bff2a405d37f0f59e222b9525c5a3

  • SHA256

    e8232a6b14f66804622f2ea2bfd8c2d8bfe5eef292f664c5801844b96a84d125

  • SHA512

    b1cacbfd4c2153d7b1adee03d5a3b72ca586df8aee48b2c0c7e08e0f039dda497eb67c7d0ac810c81112b4cfcd1b41da47a48d9308b088d60688a4815abd7071

Score
10/10
xloaderzqzwloaderpersistenceratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

zqzw

Decoy

laurentmathieu.com

nohohonndana.com

hhmc.info

shophallows.com

blazebunk.com

goodbridge.xyz

flakycloud.com

bakermckenziegroups.com

formation-adistance.com

lovingearthbotanicals.com

tbrservice.plus

heritagehousehotels.com

drwbuildersco.com

lacsghb.com

wain3x.com

dadreview.club

continiutycp.com

cockgirls.com

48mpt.xyz

033skz.xyz

Targets

    • Target

      Shipping Documents.exe

    • Size

      664KB

    • MD5

      c35e97b32cab03a7fea48ccc3fb716b8

    • SHA1

      4b173de88a0bff2a405d37f0f59e222b9525c5a3

    • SHA256

      e8232a6b14f66804622f2ea2bfd8c2d8bfe5eef292f664c5801844b96a84d125

    • SHA512

      b1cacbfd4c2153d7b1adee03d5a3b72ca586df8aee48b2c0c7e08e0f039dda497eb67c7d0ac810c81112b4cfcd1b41da47a48d9308b088d60688a4815abd7071

    Score
    10/10
    xloaderzqzwloaderratsuricatapersistence

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Sets service image path in registry

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks